Abstract

Password attacks are a well-studied but still dangerous
form of attack. They are often performed together with other attacks. If
even a small amount of information is gathered through other means, it can
assist in manual password attacks. Even without this data, there are
automated tools that can guess many passwords in a short period of time.
A look at the techniques used to guess passwords will reinforce the need to
use strong password procedures and policies as protection.

In Combination with Other Attacks

Attacks on passwords are often carried out in
conjunction with other attacks. The more information an attacker can gain
about a system and about individual users, the greater his chance of success
in a password attack. The starting point can be as simple as searching the
company's web site for user names and system hardware. It can expand to
social engineering and dumpster diving. The attacker may actually get a
password with these attacks, but more likely they will get information about
the company and employee names that will help in future password guessing.
With even a small amount of data, a manual or automated attack can be
launched.

Manual Attacks

Manual attacks usually start with the easiest to guess
passwords. This is often no password at all or words like "password,"
"guest," or "secret." One study found that "around 50% of computer users
base [passwords] on the name of a family member, partner or a pet. Thirty
percent look to a pop idol or sporting hero." [1] With just a little
personal data, many passwords can be guessed.

If the attacker has learned what hardware or software
you use, they will know the common default password settings and begin
guessing with these. "For example, Computer Associates ARCServ backup
software creates a highly privileged user account called 'arcserve,' which
is usually set with a password of 'arcserve' or 'backup.'" [2] Armed with
knowledge like this, the attacker's guessing job is easy. A company's
operating procedures must ensure that all default passwords are changed when
new hardware and software are installed.

Automated Attacks

If the attacker fails in a manual attack, they may move
to an automated attack. There are many free programs that can assist in
this. Legion, Jack the Ripper, NetBIOS Auditing Tool (NAT), and L0phtCrack
(LC4) are some of them.

Automated password attacks can be divided into two basic
categories: dictionary attacks and brute force attacks. "A simple
dictionary attack is by far the fastest way to break into a machine. A
dictionary file (a text file full of dictionary words) is loaded into a
cracking application such as L0phtCrack, which is run against user accounts
located by the application. Because the majority of passwords are often
simplistic, running a dictionary attack is often sufficient to do the job."
[3]

The brute force method is the most comprehensive and the
slowest. It will try every possible letter and number combination in its
automated search. Less time consuming than this attack is a hybrid approach,
which starts with a dictionary and then tries combinations such as two words
together or a word followed by numbers.

Many systems only allow several guesses at a password
before the user is locked out. In that case automated programs will not
work well on-line. But if a password file can be stolen, even in encrypted
or hashed form, these programs can guess off-line. Then success is only a
matter of time. But if the password is long enough, that can be a long
time. "Although some password cracking programs can test nearly 8 million
combinations every second on the latest Pentium 4 processor, breaking an
eight-character password would still take more than 13 years on average."
[4]
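The arithmetic behind that 13-year figure is worth carrying through, because it shows why the dictionary and hybrid attacks described above finish so quickly and why length and character set matter for the defense. The following Python example is added here and is not part of the original paper; it assumes the 95 printable ASCII characters and the 8 million guesses per second quoted in the text, a constructed 100,000-word dictionary, and the convention that an attacker searches half the keyspace on average before hitting the right password.

```python
# Added example: average offline crack time for the attack styles discussed.
# Parameters are taken from the text (95 printable characters, 8 million
# guesses/second); the 100,000-word dictionary size is a constructed assumption.
CHARSET_PRINTABLE_ASCII = 95
CHARSET_LOWERCASE = 26
GUESSES_PER_SECOND = 8_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_keyspace(charset_size: int, length: int) -> int:
    """Candidates a brute-force search must cover for one fixed length."""
    return charset_size ** length


def hybrid_keyspace(dictionary_size: int, max_digits: int = 4) -> int:
    """Candidates for the hybrid approach described in the text: every pair of
    dictionary words joined together, plus every word followed by 1..max_digits digits."""
    two_words = dictionary_size ** 2
    digit_suffixes = sum(10 ** n for n in range(1, max_digits + 1))
    return two_words + dictionary_size * digit_suffixes


def average_crack_seconds(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find a password drawn uniformly from the keyspace:
    on average the attacker searches half of it before succeeding."""
    return keyspace / rate / 2


def average_crack_years(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Same expectation expressed in years, for comparison with the quoted figure."""
    return average_crack_seconds(keyspace, rate) / SECONDS_PER_YEAR


def crack_time_table(dictionary_size: int = 100_000) -> dict:
    """Average offline crack time in seconds for each attack style on the page."""
    return {
        f"dictionary ({dictionary_size} words)":
            average_crack_seconds(dictionary_size),
        "hybrid (two words, or word + up to 4 digits)":
            average_crack_seconds(hybrid_keyspace(dictionary_size)),
        "brute force, 8 lowercase letters":
            average_crack_seconds(brute_force_keyspace(CHARSET_LOWERCASE, 8)),
        "brute force, 6 printable characters":
            average_crack_seconds(brute_force_keyspace(CHARSET_PRINTABLE_ASCII, 6)),
        "brute force, 8 printable characters":
            average_crack_seconds(brute_force_keyspace(CHARSET_PRINTABLE_ASCII, 8)),
    }


if __name__ == "__main__":
    for style, seconds in crack_time_table().items():
        print(f"{style:48s} {seconds:16.1f} s  ({seconds / SECONDS_PER_YEAR:.4f} years)")
```

Run as written, the table reproduces the paper's figure for eight printable characters (about 13.1 years) and shows the other end of the scale: a plain dictionary run finishes in a fraction of a second, the hybrid search in minutes, and eight lowercase letters or six printable characters in hours, which is the practical argument for the length and character-set rules in the Defensive Passwords section.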

Internal vs. External Attacks

Password attacks can come from outsiders or people
inside the company. Insiders are particularly dangerous. They have
physical access to your network, user desktops and other materials. They
also know your password and login creation procedures. An insider can place
a sniffer or protocol analyzer (such as Sniffer Pro or Etherpeek) on his
machine and watch network traffic. He can gather information that assists a
password attack from the network, from a desktop, or simply by watching
someone type.

Perhaps most importantly, insiders have access to
information about users. This can make guessing easy. For example, if
your boss played football for Michigan St., you might try to log in as him
with "Spartans" as your password.

Defensive Passwords

We can see from the overview of attack styles that many
defenses are straightforward. To protect against social engineering and
dumpster divers, passwords should never be written down and left around the
desktop. Users need to be aware of the threat and take personal
responsibility not to give their computer account information to someone
they do not know. Disposal of waste paper is also a company security issue.
This is just another example of why trash should be shredded or destroyed.

From a technical standpoint, security can be tightened
by using standards such as the US government's "Federal Information
Processing Standards Publication 112" (FIPS PUB 112). [5] This standard's
recommendations for a high level of protection include: a password length of
6-8 randomly generated characters, using all 95 characters (upper and lower
case, numerals and special characters), and changing the password every
month.
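Those FIPS PUB 112 figures translate directly into a checker and a generator. The following Python example is added here and is not code from the paper or from the standard; it assumes the three rules as stated above (6 to 8 randomly generated characters drawn from all 95 printable ASCII characters, all four character classes, a change every month), reads "every month" as a 30-day maximum age, and uses Python's secrets module as the random source. Space (0x20) is counted as the 95th printable character and as a special character.

```python
# Added example: enforce and generate passwords to the FIPS PUB 112 figures
# quoted in the text. MAX_AGE_DAYS = 30 is an assumed reading of "every month".
import secrets
import string
from datetime import date, timedelta

# All 95 printable ASCII characters, from space (0x20) through tilde (0x7E).
PRINTABLE_95 = "".join(chr(c) for c in range(0x20, 0x7F))
assert len(PRINTABLE_95) == 95

MIN_LENGTH = 6          # lower end of the 6-8 character recommendation
GENERATED_LENGTH = 8    # upper end, used when we generate a password
MAX_AGE_DAYS = 30       # assumed interpretation of "changing the password every month"


def character_class_gaps(password: str) -> list:
    """Names of the character classes (upper, lower, numeral, special) that are absent."""
    present = {
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(c in string.punctuation or c == " " for c in password),
    }
    return [name for name, found in present.items() if not found]


def policy_violations(password: str, last_changed: date, today: date) -> list:
    """Check a password and its age against the policy; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(c not in PRINTABLE_95 for c in password):
        problems.append("contains characters outside printable ASCII")
    problems.extend(f"missing {gap} character" for gap in character_class_gaps(password))
    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        problems.append(f"older than {MAX_AGE_DAYS} days")
    return problems


def generate_password(length: int = GENERATED_LENGTH) -> str:
    """Draw every character uniformly from the 95 printable characters with the OS
    CSPRNG, and redraw until all four classes are present and the result does not
    begin or end with a space (many login forms silently strip those)."""
    while True:
        candidate = "".join(secrets.choice(PRINTABLE_95) for _ in range(length))
        if candidate[0] != " " and candidate[-1] != " " and not character_class_gaps(candidate):
            return candidate


if __name__ == "__main__":
    today = date.today()
    fresh = generate_password()
    print(repr(fresh), policy_violations(fresh, today, today))
    # The guessable example from the text, set two months ago: constructed input.
    print(policy_violations("spartans", today - timedelta(days=60), today))
```

The rejection loop in generate_password keeps the output uniform over the set of passwords that satisfy the class rule, which is what the "randomly generated" part of the recommendation requires; a generator that fixed the position of each class would shrink the keyspace an attacker has to search.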

Summary

Password security is a well-studied problem. The attack
methods are well understood. And yet, systems are constantly found to be
vulnerable to this type of attack. This points to an issue with corporate
security policy. In this case, security is not primarily a technical issue.
What is required is establishing a solid policy and a lot of continuous work
adhering to that policy. The natural tendency for companies and users is to
let these issues slide. The result can be a system wide open to outsiders.